When a client application connects to the database server, it specifies which
PostgreSQL user name it wants to connect as,
much the same way one logs into a Unix computer as a particular user.
Within the SQL environment the active
database user name determines access privileges to database
objects -- see Chapter 7 for more information
about that. It is therefore obviously essential to restrict which
database user name(s) a given client can connect as.

Authentication is the process by which the
database server establishes the identity of the client, and by
extension determines whether the client application (or the user
who runs the client application) is permitted to connect with the
user name that was requested.

PostgreSQL offers a number of different
client authentication methods. The method to be used can be selected
on the basis of (client) host and database; some authentication methods
allow you to restrict by user name as well.

PostgreSQL database user names are logically
separate from user names of the operating system in which the server
runs. If all the users of a particular server also have accounts on
the server's machine, it makes sense to assign database user names
that match their operating system user names. However, a server that accepts remote
connections may have many users who have no local account, and in such
cases there need be no connection between database user names and OS
user names.

Client authentication is controlled by the file
pg_hba.conf in the data directory, e.g.,
/usr/local/pgsql/data/pg_hba.conf. (HBA stands
for host-based authentication.) A default pg_hba.conf
file is installed when the
data area is initialized by initdb.

The general format of the pg_hba.conf file is
of a set of records, one per line. Blank lines and lines beginning
with a hash character ("#") are ignored. A record is
made up of a number of fields which are separated by spaces and/or
tabs. Records cannot be continued across lines.

Each record specifies a connection type, a client IP address range
(if relevant for the connection type), a database name or names,
and the authentication method to be used for connections matching
these parameters.
The first record that matches the type, client address, and requested
database name of a connection attempt is used to do the
authentication step. There is no "fall-through" or
"backup": if one record is chosen and the authentication
fails, the following records are not considered. If no record
matches, the access will be denied.

This record pertains to connection attempts over TCP/IP
networks. Note that TCP/IP connections are completely disabled
unless the server is started with the -i switch or
the equivalent configuration parameter is set.

hostssl

This record pertains to connection attempts with SSL over
TCP/IP. To make use of this option the server must be
built with SSL support enabled. Furthermore, SSL must be
enabled with the -l option or equivalent configuration
setting when the server is started. (Note: host
records will match either SSL or non-SSL connection attempts, but
hostssl records match only SSL connections.)

database

Specifies the database that this record applies to. The value
all specifies that it applies to all
databases, while the value sameuser identifies the
database with the same name as the connecting user. Otherwise,
this is the name of a specific PostgreSQL
database.

IP addressIP mask

These two fields specify to which client machines a
host or hostssl
record applies, based on their IP
address. (Of course IP addresses can be spoofed but this
consideration is beyond the scope of
PostgreSQL.) The precise logic is that

(actual-IP-address xor IP-address-field) and IP-mask-field

must be zero for the record to match.

authentication method

Specifies the method that users must use to authenticate themselves
when connecting under the control of this authentication record.
The possible choices are summarized here,
details are in Section 4.2.

trust

The connection is allowed unconditionally. This method allows
any user that has login access to the client host to connect as
any PostgreSQL user whatsoever.

reject

The connection is rejected unconditionally. This is mostly
useful to "filter out" certain hosts from a group.

password

The client is required to supply a password which is required to
match the database password that was set up for the user.

An optional file name may be specified after the
password keyword. This file is expected to
contain a list of users who may connect using this record,
and optionally alternative passwords for them.

The password is sent over the wire in clear text. For better
protection, use the md5 or
crypt methods.

md5

Like the password method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. This is now the recommended choice for
password-based authentication.

The name of a file may follow the
md5 keyword. It contains a list of users
who may connect using this record.

crypt

Like the md5 method but uses older crypt
encryption, which is needed for pre-7.2
clients. md5 is
preferred for 7.2 and later clients. The crypt
method is not compatible with encrypting passwords in
pg_shadow, and may fail if client and server
machines have different implementations of the crypt() library
routine.

krb4

Kerberos V4 is used to authenticate the user. This is only
available for TCP/IP connections.

krb5

Kerberos V5 is used to authenticate the user. This is only
available for TCP/IP connections.

ident

The identity of the user as determined on login to the
operating system is used by PostgreSQL
to determine whether the user
is allowed to connect as the requested database user.
For TCP/IP connections the user's identity is determined by
contacting the ident server on the client
host. (Note that this is only as reliable as the remote ident
server; ident authentication should never be used for remote hosts
whose administrators are not trustworthy.)
On operating systems
supporting SO_PEERCRED requests for Unix domain sockets,
ident authentication is possible for local connections;
the system is then asked for the connecting user's identity.

On systems without SO_PEERCRED requests, ident authentication
is only available for TCP/IP connections. As a workaround,
it is possible to
specify the localhost address
127.0.0.1 and make connections
to this address.

The authentication option following
the ident keyword specifies the name of an
ident map that specifies which operating
system users equate with which database users. See below for
details.

pam

This authentication type operates similarly to
password, with the main difference that
it will use PAM (Pluggable Authentication Modules) as the
authentication mechanism. The authentication
option following the pam keyword
specifies the service name that will be passed to PAM. The
default service name is postgresql.
For more information about PAM, please read the Linux-PAM
Page and/or the Solaris PAM
Page.

authentication option

This field is interpreted differently depending on the
authentication method, as described above.

Since the pg_hba.conf records are examined
sequentially for each connection attempt, the order of the records is
very significant. Typically, earlier records will have tight
connection match parameters and weaker authentication methods,
while later records will have looser match parameters and stronger
authentication methods. For example, one might wish to use
trust authentication for local TCP connections but
require a password for remote TCP connections. In this case a
record specifying trust authentication for connections
from 127.0.0.1 would appear before a record specifying password
authentication for a wider range of allowed client IP addresses.

The pg_hba.conf file is read on start-up
and when the postmaster receives a
SIGHUP signal. If you edit the file on an
active system, you will need to signal the postmaster
(using pg_ctl reload or kill -HUP)
to make it re-read the file.

An example of a pg_hba.conf file is shown in
Example 4-1. See below for details on the
different authentication methods.

Example 4-1. An example pg_hba.conf file

# TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP
# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:
host all 127.0.0.1 255.255.255.255 trust
# The same, over Unix-socket connections:
local all trust
# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that ident on that
# host identifies him as (typically his Unix username):
host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:
host template1 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be
# matched first), but allow Kerberos V5-validated connections from anywhere
# else on the Internet. The zero mask means that no bits of the host IP
# address are considered, so it matches any host:
host all 192.168.54.1 255.255.255.255 reject
host all 0.0.0.0 0.0.0.0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if they
# pass the ident check. If, for example, ident says the user is "bryanh"
# and he requests to connect as PostgreSQL user "guest1", the connection
# is allowed if there is an entry in pg_ident.conf for map "omicron" that
# says "bryanh" is allowed to connect as "guest1":
host all 192.168.0.0 255.255.0.0 ident omicron
# If these are the only two lines for local connections, they will allow
# local users to connect only to their own databases (database named the
# same as the user name), except for administrators who may connect to
# all databases. The file $PGDATA/admins lists the user names who are
# permitted to connect to all databases. Passwords are required in all
# cases. (If you prefer to use ident authorization, an ident map can
# serve a parallel purpose to the password list file used here.)
local sameuser md5
local all md5 admins